[hunt]
author = "Elastic"
name = "Unusual Library Load via Python"
uuid = "d9b30b84-dc53-413c-a7e4-f42078b10048"
description = """
Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.
"""
integration = ["endpoint"]
language = ["EQL"]
license = "Elastic License v2"
mitre = ["T1059.006"]
notes = [
  "Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.",
  "This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.",
  "Consider tuning to exclude known development or research environments that store legitimate libraries in home directories."
]
query = [
'''
library where event.action == "load" and
  dll.path like "/Users/*" and
  process.name like~ "python*" and
  not dll.name : ("*.so", "*.dylib")
'''
]
references = [
  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
  "https://x.com/safe/status/1897663514975649938",
  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
]